Sophos Firewall v18: impact of expired license


Security protection on Sophos Firewall requires a Subscribed/Evaluating subscription.

If a subscription is Expired/Unsubscribed, Sophos Firewall cannot perform corresponding security protection.

Here is table of subscription and security features.

Base firewall Firewall rule, NAT rule, VPN, Wireless Protection, site-to-site RED
Network protection RED appliance, ATP, IPS, Security Heartbeat
Web protection Web Filter, Anti-virus, Application Control
Email protection Anti-spam, Anti-virus, email encryption (SPX), DLP
Web server protection WAF, Anti-virus, reverse proxy
Sandstorm Sandstorm service
Enhanced support It is the minimum subscription for RMA and Sophos Technical Support service
Enhanced plus support It provides more benefits than Enhanced support.

Reference: Sophos (XG) Firewall > Administration Help > Licensing

Base firewall

Once Base firewall becomes Expired/Unsubscribed,

  1. All firewall rules stop working, no matter they are configured to allow or block traffic.
  2. All NAT rules stop working.
    In another word, Sophos Firewall stops applying firewall rule and NAT rule on any traffic.
    The following traffic is allowed and has masquerading applied automatically by Sophos Firewall, even if there is a firewall rule to drop it. 
    • from LAN zone to WAN zone
    • from DMZ zone to WAN zone
    • from LAN zone to LAN zone
    • from LAN zone to DMZ zone
    • from DMZ zone to DMZ zone
    • from DMZ zone to LAN zone
    No other traffic except the above can traverse Sophos Firewall.
  3. No VPN cannot be established.
  4. Site-to-site RED cannot be established.
  5. AP and wireless network stop working.

It applies to Sophos Firewall v18 only.

On Sophos Firewall v17.5 MR15 and earlier, firewall rule and NAT rule still work even if Base Firewall becomes Expired/Unsubscribed.

Email protection

Once Email Protection becomes Expired/Unsubscribed, Sophos firewall delivers email without anti-spam/anti-virus scanning.

It applied to Sophos Firewall v17.5 and v18.

Enhanced support, Enhanced plus support

If both Enhanced support and Enhanced plus support are expired/unsubscribed, Sophos cannot provide RMA and Technical Support service.

It applied to Sophos Firewall  v17.5 and v18.

Edition history

2022-01-14, fixed expired URL

2021-05-31, updated with section "Email protection"

2021-05-24, first release

fixed expired URL
[edited by: taowang at 2:15 AM (GMT -8) on 14 Jan 2022]
  • What about the other licence modules?
    I thought, that REDs are part of the Base Licence (same as for Wireless Protection). So the connection, ACLs and NAT should work for REDs with the base licence.

    If Network Protection expires (and the base license is stil valid), all rules should still apply and control the traffic. But SOFS won't apply Security Heartbeat, IPS, ATP and SSL/TLS inspection, right?

    My expirience with expired Web Protection was, the Web Proxy was reachable - but didn't apply any rule itself (It was on 17.5 - and long ago. I don't know, whether this is valid).

  • Hello TheMonzel,

    The RED device is part of the Network protection license. So you won’t be able to configure a RED device using only the Base License.

    If the Network Protection expires, you’ll be able to configure any module but it won't be enforced.


    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply Children
No Data